It would be super helpful if there was a switch user option on the Portal sign-in. As an admin, we often work with several accounts and it would be nice to just be able to switch users instead of completely signing in or out.
I cannot "Kudos" this enough! Signing out and back in again is not an easy task when you are on SAML for authentication, as Pro just keeps using the Windows account for SSO. Yes, you can use the browser option, but that can also get locked into the SSO as well. Maybe allowing for multiple ArcGIS Pro profiles would be a great solution? This option would allow you to set up Pro differently for each login. Even better, allow you to sync the profile to Enterprise or AGOL, so that if the user, like me, logs in to different machines regularly, the profile can be synced automatically. The profile should also include the license type (whether Named User License, or Concurrent) so that you don't have to keep changing license types if one profile uses a different license type than the other.
@MarlenaIsley@RandyCasey Thank you for your idea and feedbacks. We would like to know more details before considering this enhancement. Why are admins needing to switch between multiple users in Pro? Is there a specific workflow that requires this? Any additional information you can provide would be helpful.
+ @AlfredBaldenweck@wayfaringrob@rumpolda and @rsun_TQB Please see Jonah's question above - since you're also requesting this functionality, it sounds like better understanding everyone's use cases will be helpful.
I just simply see the potential of having the ability to switch between different users when using ArcGIS Pro.
I am Portal Admin and DBA at my organization.
My organization uses SAML for authentication as well, and it is not possible or easy for me to change AD account within Pro to remove locks of our EGDB. My named account doesn't have the power to remove locks of our EGDB, and for cybersecurity reasons...my named account should not have this level of permission of our EGDB. Therefore, we always need to log out on Windows and re-log on with DBA AD account to remove the locks.
Another thing I am thinking may be handy with this feature is to test out different user types or privileges configuration is working properly without calling the end users to test it out.
I simply see features on technology like Gmail or future Microsoft 365 on Microsoft Edge to allow its user to switch between account and remember their custom environment configurations make admin or even some end users life easier. AD accounts or Portal accounts were given different privileges and permissions in order to achieve separation of concerns, but in real word operations these accounts may potentially all belong to the same worker or admin.
The admin account maintains all of our organizational items (feature services (hosted or federated), groups, maps, applications, packages, etc.)
The admin account maintains all applications that are required for ESRI and 3rd party services to authenticate using our Portal's SAML
The admin account is used for all Portal collaborations requiring a user account
In order to maintain organizational control and management of items on our Portals (Enterprise and AGOL) we have an admin account that this tied to our AD admin account, which is accessed by our systems admin (me) and our division manager. By doing this, this admin account can take ownership of, manage/maintain, and consolidate items under one user on the Portal. This is crucial, as in the beginning, we found that having authoritative feature services scattered around multiple users accounts made managing critical data incredibly difficult. When major changes to items were needed (updating a features service, changing permissions, modifying groups), ownership had to be changed, which slowed down the process. Also, just searching for the appropriate service to change ownership took too long, as every user has their own naming conventions. We also found that settings and permissions were not appropriate on a lot of important feature services, risking unintended data changes and/or data loss. Placing all items that needed strict management and control under one account made these issues go away.
At first, my account was being used for this. But as time went on, I was having difficulty managing my own personal projects and our organizational items. Not to mention, if my manager needed to make any changes to any organizational items, he would have to change ownership of those items. We then tried using the site admin account that was created when we first installed Portal, but this caused issues with ArcGIS server, as the owner of the item in Portal was not an account that ArcGIS Server could access, so managing services on our ArcGIS Servers was complicated, if not impossible. So an admin account using our AD admin account was created. This resolved all of our data management issues.
We also found that since we were often accessing our servers under our AD admin account, having the Portal login tied to that account made accessing Portal easier when access was needed (which we found was often), since the AD account was tied to our SAML login service.
Lastly, we had a secure account to store items of staff who have left our organization. When staff leave, we can go in and transfer all items to our admin account. Prior to this, someone had to volunteer to take on storing their orphaned items.
The one drawback is that when we do anything in ArcGIS Pro, we log into a machine under our admin account so that the Portal login is more seamless. This is the most efficient method for us, as the only other method is to sign out of Portal, which disconnects the named user license, change the license type to Concurrent, then sign back into Portal using the ArcGIS Login (because the SAML SSO option automatically defaults to my user login). This takes way longer than just logging into an admin machine under our admin account.
But, if ArcGIS Pro had the ability to store multiple Portal logins, and maintain the appropriate licensing setup with those logins, then all I would have to do is just switch profiles when I needed to put on my admin hat and perform any admin duties. I mean, I can do this on Edge and Chrome (change profiles) when I need to log into Portal as an admin, which is incredibly useful, so why not in ArcGIS Pro?
@rumpolda@wayfaringrob and @AlfredBaldenweck let us know if your situations are similar to those described above or if your reasons for requesting this option are unique. Thank you!
The problems described sound familiar. I would love to see a solution, too I was working with the ArcGIS Assistant some time ago and thought: this Account switcher (but within the same Portal) would be really neat in Arcgis Pro, too: https://guide.assistant.esri-ps.com/docs/working-with-accounts (The example even is the publisher/admin use case)
Why? In addition to the arguments listed above, it is necessary to test workflows with different User Types, Licenses and Access.
1000 times this. We have an authoritative built-in account for our Portal, by and large everyone else uses their Active Directory with SAML to access things. As the administrator some of my services need to be launched from my user for testing or temporary projects; other times, it is easier to log in as the built-in to publish the services directly.
Right now I'm signing in and out of my SAML to the built-in (which I have to open a password manager to copy/paste the extra long credential) and it would be a lot easier if we had a switch button to do the thing. As we expand the use of our portal I'd like to make additional built-ins to handle some of the ho-hum tasks like creating editing applications and other publishing stuff. We over-use the admin accounts currently.
Just so that you are aware, there are portions of this idea that cannot be supported. Instead, there are also workarounds that might be helpful to know.
In the case of SAML/IWA, it is not possible to store credentials for multiple users. We won't be able to support switching between different users in a single Pro session. The design of IWA as an authentication protocol doesn't allow this. (You'll notice that you can't switch between different IWA users in a single web browser session.) However, you can run the ArcPro application as a different Windows user. Pro will be licensed according to the user's licensing method.
@rsun_TQB mentioned removing locks in EGDBs. If you are a database administrator, you can remove locks. See Manage geodatabase locks for more info.
